PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-6306 Debian CVE debrief

CVE-2017-6306 is a directory traversal vulnerability in ytnef, affecting versions before 1.9.1. The flaw is tied to filename handling in settings.c (SanitizeFilename), where an attacker could influence path construction and potentially write files outside the intended directory. NVD rates the issue HIGH with a CVSS 3.0 vector of AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. Public references include Debian, the upstream pull request, an oss-security posting, and an X41 advisory.

Vendor
Debian
Product
CVE-2017-6306
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2017-02-24
Original CVE updated
2026-05-13
Advisory published
2017-02-24
Advisory updated
2026-05-13

Who should care

Administrators and users of ytnef, especially systems that automatically process TNEF/"winmail.dat" attachments. Debian maintainers and anyone shipping ytnef-based packages should verify they are on a fixed release. Security teams should pay attention where untrusted email attachments are handled on desktops, mail gateways, or document-processing workflows.

Technical summary

NVD classifies the weakness as CWE-22 (path traversal). The affected product is ytnef versions through 1.9, with the fix landing in 1.9.1. The vulnerability is associated with the SanitizeFilename function in settings.c, indicating that insufficient filename sanitization could allow traversal out of the intended directory. The CVSS vector reflects a local attack that requires user interaction but can still have high confidentiality, integrity, and availability impact.

Defensive priority

High for any environment that processes untrusted TNEF content; otherwise medium priority. The attack requires local access and user interaction, but the impact is severe if the software is used to unpack attacker-controlled attachments.

Recommended defensive actions

  • Upgrade ytnef to 1.9.1 or later.
  • If ytnef is packaged by your distribution, confirm the vendor package includes the fix (for example, Debian advisories reference the issue).
  • Treat TNEF attachment processing as untrusted input and restrict where extracted files may be written.
  • Review any downstream tooling that calls ytnef or uses its filename sanitization logic.
  • Monitor mail clients, gateways, and desktop tools that can auto-open or auto-extract .winmail.dat content.
  • Validate that patched versions preserve path confinement when extracting filenames.

Evidence notes

All core facts are supported by the NVD CVE record and the linked references. NVD lists the weakness as CWE-22 and the CVSS 3.0 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The NVD cpe criteria mark ytnef versions up to 1.9 as affected, and the description states the issue is fixed in 1.9.1. Reference links include Debian DSA-3846, an oss-security post, GitHub pull request #27, a SecurityFocus entry, and an X41 advisory.

Official resources

Publicly disclosed on 2017-02-24. The source corpus includes mitigation and patch references from 2017-02-15 and later. The NVD record was modified on 2026-05-13, which is not the disclosure date.